Vulnerabilities > WOW Company > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-03-01 | CVE-2023-23984 | Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Bubble Menu Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Bubble Menu – circle floating menu plugin <= 3.0.1 leading to form deletion. | 5.4 |
| 2023-02-17 | CVE-2023-0895 | Unspecified vulnerability in Wow-Company WP Coder The WP Coder – add custom html, css and js code plugin for WordPress is vulnerable to time-based SQL Injection via the ‘id’ parameter in versions up to, and including, 2.5.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. | 4.9 |
| 2022-05-20 | CVE-2022-29447 | Files or Directories Accessible to External Parties vulnerability in Wow-Company Hover Effects Authenticated (administrator or higher user role) Local File Inclusion (LFI) vulnerability in Wow-Company's Hover Effects plugin <= 2.1 at WordPress. | 4.0 |
| 2022-05-19 | CVE-2022-29446 | Files or Directories Accessible to External Parties vulnerability in Wow-Company Counter BOX Authenticated (administrator or higher role) Local File Inclusion (LFI) vulnerability in Wow-Company's Counter Box plugin <= 1.1.1 at WordPress. | 4.0 |
| 2022-03-28 | CVE-2021-25064 | SQL Injection vulnerability in Wow-Company WOW Countdowns The Wow Countdowns WordPress plugin through 3.1.2 does not sanitize user input into the 'did' parameter and uses it in a SQL statement, leading to an authenticated SQL Injection. | 6.5 |
| 2022-01-10 | CVE-2021-25051 | Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Modal Window The Modal Window WordPress plugin before 5.2.2 within the wow-company admin menu page allows to include() arbitrary file with PHP extension (as well as with data:// or http:// protocols), thus leading to CSRF RCE. | 5.1 |
| 2022-01-10 | CVE-2021-25052 | Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Button Generator The Button Generator WordPress plugin before 2.3.3 within the wow-company admin menu page allows to include() arbitrary file with PHP extension (as well as with data:// or http:// protocols), thus leading to CSRF RCE. | 5.1 |
| 2022-01-10 | CVE-2021-25053 | Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company WP Coder The WP Coder WordPress plugin before 2.5.2 within the wow-company admin menu page allows to include() arbitrary file with PHP extension (as well as with data:// or http:// protocols), thus leading to CSRF RCE. | 5.1 |
| 2022-01-10 | CVE-2021-25054 | SQL Injection vulnerability in Wow-Company Wpcalc 2.1 The WPcalc WordPress plugin through 2.1 does not sanitize user input into the 'did' parameter and uses it in a SQL statement, leading to an authenticated SQL Injection vulnerability. | 6.5 |
| 2021-11-08 | CVE-2021-24628 | SQL Injection vulnerability in Wow-Company WOW Forms 3.1.3 The Wow Forms WordPress plugin through 3.1.3 does not sanitise or escape a 'did' GET parameter before using it in a SQL statement, when deleting a form in the admin dashboard, leading to an authenticated SQL injection | 6.5 |